Trust Center

Security & Compliance

Your links, your data — protected by design.

Linkly is built privacy-first on Google Cloud and Cloudflare, with AES-256 encryption, GDPR-aligned data handling, and a no-PII analytics model that 100,000+ marketing teams worldwide rely on every day.

  • AES-256: Encryption at rest
  • TLS 1.2+: Encryption in transit
  • Multi-AZ: Redundant infrastructure
  • 0 PII: Stored in click analytics

Certifications & frameworks

Standards we align with

Independently recognized frameworks that shape how we handle your data.

  • GDPR: EU data protection
  • CCPA: California privacy
  • PCI DSS: Payments handled by Stripe
  • SCC: EU data transfers

How we protect you

Four pillars of Linkly security

Built on enterprise-grade cloud infrastructure, defended at the edge, and operated with a privacy-first mindset.

Encrypted everywhere

All data is encrypted at rest with AES-256 and rotating keys, and in transit with Google-managed TLS certificates. Account credentials are stored as one-way encrypted hashes.

Resilient infrastructure

Linkly runs on Google Cloud with multi-availability-zone replication and daily backups to AWS for disaster recovery. Public short-link domains are served from Cloudflare's global edge.

Edge-layer defense

Cloudflare DDoS protection, bot mitigation and WAF rules front our public endpoints. Accounts engaged in DDoS or credential-stuffing activity are suspended on detection.

Privacy-first analytics

We don't store personally identifiable click data. IP addresses are used in-memory for geolocation and ISP lookup, then discarded — only aggregated, anonymous click data is retained.

Data & Privacy

GDPR-compliant, by a European company

Linkly is registered in England & Wales. Our data handling is built to satisfy European privacy expectations from day one.

What we do

  • Standard Contractual Clauses with all data processors
  • Signable Data Processing Agreement available on request
  • Sub-processors limited to Stripe, Google Cloud, AWS, Amazon SES
  • Right to access, export and delete your data at any time
  • Account data purged 30 days after account deletion

What we don't do

  • Store personally identifiable click data — only aggregates
  • Sell or rent customer data to third parties
  • Use customer click data to train external ML models
  • Mix customer data across tenants
  • Retain raw IP addresses after geolocation lookup
Compliance

Compliance posture

Where we stand today, and what we're actively working toward.

Today

  • GDPR: European-registered entity with SCCs, signable DPA and full data subject rights workflow.
  • PCI DSS (via Stripe): All payment data is handled by Stripe — Linkly never sees or stores card numbers.
  • Anti-spam & abuse: Strict anti-spam policy with automated and manual review, plus rapid takedown of malicious links.
  • SCCs in place: Standard Contractual Clauses signed with all data processors handling EU data transfers.
  • Signable DPA: A standard Data Processing Agreement is available on request for customers who need one countersigned.
  • Privacy-first analytics: No personally identifiable click data is stored — only aggregated, anonymous analytics.

Planned

  • SOC 2 Type II: Formal SOC 2 Type II audit is on our roadmap. If you need a security questionnaire before certification, contact our team.

Transparency

Sub-processors

The handful of trusted vendors that help us deliver Linkly. We update this list whenever it changes.

Vendor: Purpose

  • Google Cloud: Primary hosting, database, object storage
  • Gigalixir: Application platform (runs on Google Cloud)
  • Cloudflare: CDN, DDoS protection, edge workers for short-link domains
  • AWS: Encrypted off-site backups
  • Stripe: Payment processing
  • Amazon SES: Transactional email delivery

Report a vulnerability

We take security disclosures seriously. If you've discovered a vulnerability or have a security question, our team will respond within one business day.

FAQ

Frequently asked questions

Where is my data stored?

Primary data is stored on Google Cloud, with encrypted backups mirrored to AWS. Public short-link traffic is served from Cloudflare's global edge. If you have specific data residency requirements, contact our team and we can talk through options.

Do you sign DPAs?

Yes. A standard Data Processing Agreement is available — see our DPA page or contact our team to countersign.

Do you support SSO?

Yes. Single sign-on via SAML and two-factor authentication (2FA) are available on the Enterprise plan, along with an activity audit log. Contact sales to get it set up for your organization.

How long do you keep click data?

Aggregated, anonymous click analytics are retained for 5 years by default. Account-level data is deleted 30 days after account closure.

How do I report a security issue?

Email security@linklyhq.com. We acknowledge reports within one business day and work with reporters in good faith on disclosure.

Need more detail for your security review?

We're happy to walk through our architecture, complete vendor questionnaires, and provide our latest documentation under NDA.

Contact our security team